This disclosure relates to encryption and, more particularly, to methods and computer program products for maintaining encryption keystores, and encryption keystore maintaining systems that implement such methods and/or computer program products.
Communications transmitted over the internet or other public and private networks may be susceptible to tampering, message forgery, eavesdropping and the like. Confidential information—e.g., financial information such as credit card numbers, bank account numbers, and passwords; personally-identifying information such as social security numbers; and competitively-sensitive business information—is routinely transmitted via the internet and/or other public or private networks where it may be intercepted or otherwise compromised. In order to reduce or prevent the theft of such confidential information, a number of encryption protocols have been developed for allowing two computing devices to establish a secure, encrypted link over the internet and/or other networks. One common protocol is the Secure Sockets Layer (SSL) protocol and its updated successor, the Transport Layer Security (TLS) protocol (hereinafter, the SSL and TLS protocols and variants thereof will generically be referred to as “the SSL protocol” or “SSL” for ease of description). These protocols can be used (1) to authenticate one or both of the parties to the communication (i.e., ensuring that the computing device on the other end of the connection is in fact who it claims to be) and (2) to provide a secure, private communications link between the two computing devices that is not readily compromised.
The SSL protocol uses a two-key (public-key) cryptographic system to authenticate the parties and to establish a shared session key; the application data itself is then encrypted with a symmetric cipher under that session key, since symmetric ciphers are far faster than public-key operations. Of the two keys, the first is a public key which may be provided to anyone and which is used to encrypt a message to the key's owner (or to verify the owner's signatures); the second is a secret, private key, known only to its owner, that is used to decrypt such messages (or to produce signatures). Many web browsers (e.g., Microsoft Internet Explorer, Mozilla Firefox, etc.) support SSL, as do many, if not most, websites operated by commercial and government entities collecting confidential information over the Internet.
The SSL protocol may be used to establish a secure communications connection over which data can be sent through a network between two computing devices, most typically between a web browser on a client computer and a server associated with a website. Typically, with such communications, the client authenticates the server to verify the identity of the server, but the server does not authenticate the client. This is referred to as “single-sided authentication.” In other instances, however, “mutual authentication” may be performed where both the server and the client authenticate the other to verify the other's identity. Mutual authentication is also routinely used when two server computers communicate with each other.
To set up a secure SSL communications link using single-sided authentication as referenced above, the server will typically send a file known as a digital certificate to the web browser on the client computer. The digital certificate includes an embedded public key and the identity of the holder of the digital certificate (i.e., the owner or operator of the server). The digital certificate is issued by a trusted third party known as a “Certificate Authority” (CA), which attests, by digitally signing the certificate with the CA's own private key, that the public key contained in the digital certificate belongs to the holder noted in the digital certificate. Recognized Certificate Authorities include companies such as Verisign, Entrust, and GlobalSign. The web browser on the client computer will typically contain digital certificates provided by various Certificate Authorities and commonly referred to as “root CA certificates”; each carries the CA's public key, which is used to verify the CA's signature on digital certificates received from servers (referred to herein as “server digital certificates”). A certificate is not itself encrypted, so nothing is decrypted in this step. Upon receiving a server digital certificate, the web browser selects the root CA certificate matching the certificate's issuer, uses the CA public key in that root certificate to verify the signature on the received digital certificate, checks that the certificate is within its validity period and names the server being contacted, and extracts the server's public key that will be used to set up the secure connection. Unfortunately, however, a number of error conditions can prevent establishment of an SSL link, for example a certificate whose issuer is not among the browser's root CA certificates, a certificate that has expired, or a certificate whose name does not match the server being contacted. If these error conditions occur, either the secure connection cannot be set up, or the connection may be possible but the client may have no assurance that the connection is in fact secure, which may cause the client to decline to establish the connection.
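The following is an added worked model of the checks just described, not code from the disclosure or from any browser. It stands in for X.509 and PKCS#1 with a dict-based "certificate" signed by textbook RSA over runtime-generated toy-sized primes (far too small for real use), and constructed names and dates; the trust store is a dict of root CA certificates keyed by CA name, as a browser ships them. It goes slightly beyond the text by returning a distinct status for each failure the verifier can detect.

```python
"""Toy model of browser-side server-certificate validation (illustration only).
Constructed example: textbook RSA, dict 'certificates', toy key sizes.
"""
import hashlib
import json
import random

_rng = random.Random(2024)  # fixed seed so the example is reproducible (example only)


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test; only used for toy key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=320):
    """Textbook RSA: returns (public=(n, e), private=(n, d)). Toy size: 320-bit modulus."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(tbs):
    """SHA-256 over a canonical encoding of the to-be-signed fields, as an integer < n."""
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")


def sign(tbs, private_key):
    n, d = private_key
    return pow(_digest(tbs), d, n)


def signature_valid(tbs, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest(tbs)


def issue_certificate(subject, subject_public_key, issuer, issuer_private_key, not_before, not_after):
    """The CA attests that subject_public_key belongs to subject by signing these fields.
    Dates are ISO strings, so string comparison orders them correctly."""
    tbs = {"subject": subject, "issuer": issuer, "public_key": list(subject_public_key),
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(tbs, issuer_private_key)}


def verify_server_certificate(cert, trust_store, hostname, now):
    """Checks a browser performs on a received server certificate; returns a status string.
    A root is trusted because it is in the store, not because of its own self-signature."""
    tbs = cert["tbs"]
    root = trust_store.get(tbs["issuer"])
    if root is None:
        return "unknown_ca"
    # The root's public key verifies the CA's signature; nothing is decrypted here.
    if not signature_valid(tbs, cert["signature"], tuple(root["tbs"]["public_key"])):
        return "bad_signature"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "expired_or_not_yet_valid"
    if tbs["subject"] != hostname:
        return "hostname_mismatch"
    return "ok"


def demo():
    """Constructed scenario: one trusted root, one server certificate, and four ways it can fail."""
    ca_pub, ca_priv = generate_keypair()
    srv_pub, _srv_priv = generate_keypair()
    root = issue_certificate("Example Root CA", ca_pub, "Example Root CA", ca_priv, "2020-01-01", "2040-01-01")
    trust_store = {"Example Root CA": root}  # what the browser ships
    good = issue_certificate("www.example.com", srv_pub, "Example Root CA", ca_priv, "2024-01-01", "2025-01-01")
    results = {
        "valid": verify_server_certificate(good, trust_store, "www.example.com", "2024-06-01"),
        "expired": verify_server_certificate(good, trust_store, "www.example.com", "2026-06-01"),
        "wrong_host": verify_server_certificate(good, trust_store, "login.example.com", "2024-06-01"),
    }
    # Tampering after issuance: the subject is changed, so the CA's signature no longer verifies.
    forged = {"tbs": dict(good["tbs"], subject="login.example.com"), "signature": good["signature"]}
    results["tampered"] = verify_server_certificate(forged, trust_store, "login.example.com", "2024-06-01")
    # A certificate from a CA the browser does not know, even though it is otherwise well-formed.
    _rogue_pub, rogue_priv = generate_keypair()
    rogue = issue_certificate("www.example.com", srv_pub, "Rogue CA", rogue_priv, "2024-01-01", "2025-01-01")
    results["unknown_ca"] = verify_server_certificate(rogue, trust_store, "www.example.com", "2024-06-01")
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:11s} -> {status}")
```

The order of checks mirrors what matters in practice: a signature that does not verify under a trusted root's key makes every other field in the certificate meaningless, so it is checked before validity period and name. Real browsers additionally walk intermediate CA certificates, check revocation, and match wildcard and subject-alternative names; none of that is modelled here.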